SUMMARY


PCI DSS 1.2 — 
CHANGES AND HOW IT AFFECTS YOUR BUSINESS 


Overview 


PCI DSS 1.2 is considered a minor update to the current DSS version 1.1. PCI DSS 1.2 keeps the same 12
requirements as 1.1, and no new requirements have been added. The intent of 1.2 is mainly to clarify the
existing requirements and to provide some flexibility in how the standard is interpreted.


Important Dates 


10/01/2008 - 1.2 Release Date 

10/01/2008 - 1.2 Effective Date (All new assessments after this date should use 1.2) 
12/31/2008 - 1.1 Sunset Date (All 1.1 assessments should be completed before this date) 
03/31/2009 - New WEP implementations are not allowed after this date 

06/30/2010 - All WEP implementations must be discontinued as of this date 


Changes and New Requirements in PCI DSS 1.2 


- Network segmentation: although not a requirement, the council provided guidance on the scope of
PCI DSS and elaborated on segmentation of the cardholder data environment. Segmenting the network
isolates cardholder data environments, provides better controls and thus reduces the number of
devices that fall under PCI DSS.


- For wireless, the council clarified the requirements around use of wireless technology and provided a
sunset date for the use of WEP. Wireless networks should now be implemented using industry best
practices like IEEE 801.11X.


- Requirement 6.6 for web application security is now mandatory in 1.2. Additional clarification was
provided to remove references to source code review and add the use of automated assessment tools.


- Changes in best practices: 1) a firewall rule set audit is needed every 6 months (vs. 90 days in 1.1),
2) a visit to the offsite storage location is required annually, and 3) review and acceptance of the security
policy by employees interacting with cardholder data is required annually.


- Updated the sampling guidelines for assessments and made them more exhaustive across multiple
business locations and technologies.


- Announcement of a Quality Assurance (QA) program for assessors (QSA, ASV, PA-QSA) to help
promote consistency across assessments and provide merchants with good-quality assessments.

- Additional documentation in 1.2 includes 1) detailed documentation of the cardholder data environment,
e.g. a list of all tables/files containing cardholder data, and 2) compensating controls, which must be
documented, reviewed and validated by an assessor annually.


Future Improvements for PCI DSS 


- PCI 1.2 is still largely focused on securing the perimeter to stop bad guys from getting in. There is
a desire in the security community to see more requirements around addressing internal threats.


- The current DSS only addresses requirements around storage of cardholder data after authorization,
but is still largely silent about storage of data before authorization.


- New challenges like virtualization will need to be addressed in the near future as well.


PCI DSS 1.2 Changes to the 12 Requirements 
Requirement 1: Install and Maintain a Firewall Configuration to Protect Cardholder Data 


- Now covers router configurations as well as firewall configurations.
- Review configurations and rule sets every 6 months instead of every quarter.


Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security 
Parameters 


- Wireless requirements apply only to networks touching cardholder data.
- Mention of WEP removed.


Requirement 3: Protect Stored Cardholder Data 


- If disk encryption is used, make sure it is separate from the OS encryption.


Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks 


- Wireless networks should now be implemented using industry best practices like IEEE 801.11X.

- New WEP implementations are not allowed after March 31, 2009. Ideally, WEP should not be implemented
anymore.

- All WEP implementations must be discontinued as of June 30, 2010.

- Disallow sending unencrypted PAN in all end-user messaging systems like IM, chat and SMS,
not just in e-mail.
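The messaging-channel control above is usually enforced with a content check that flags unencrypted PANs before they leave. As an added illustration (not part of the original summary or any PCI document), the following Python scans constructed IM/SMS/chat/e-mail log lines for card-number-shaped digit runs, filters false positives with the Luhn check, and reports hits masked to the first six and last four digits; the log format and sample numbers are assumptions made up here.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn mod-10 check used by card numbers; weeds out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Show at most first six and last four digits, the usual PCI DSS display rule."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return every Luhn-valid 13-19 digit number found in a message body."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_messages(lines):
    """For each log line 'CHANNEL body', report (line_no, channel, masked PANs) on a leak."""
    findings = []
    for n, line in enumerate(lines, 1):
        channel, _, body = line.partition(" ")
        pans = find_pans(body)
        if pans:
            findings.append((n, channel, [mask_pan(p) for p in pans]))
    return findings


# Constructed sample messaging log lines; the card numbers are public test values, not real accounts.
SAMPLE_LOG = [
    "IM alice->bob: order 4111 1111 1111 1111 cleared, ship today",
    "SMS +1555...: your ticket number is 1234567890123 please keep it",
    "chat #support: cust card ends 4242, token tok_8f2a9",
    "email bob->carol: card 5555-5555-5555-4444 exp 09/12",
]
```

The 13-digit ticket number on the SMS line fails Luhn and is not reported, while the two genuine card-shaped numbers are flagged with their middle digits masked.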


Requirement 5: Use and Regularly Update Anti-Virus Software 


- Expand the definition of antivirus to include all known types of malware like Trojans, worms, rootkits, etc.




Requirement 6: Develop and Maintain Secure Systems and Applications 


- Patching can now be risk-based instead of a fixed 30 days for all systems in scope.

- Organizations can identify the highest-risk systems, patch those within 30 days and then focus on
patching lower-risk systems.

- All custom code must be developed according to the latest OWASP guidelines at the time of development.

- Incorporate source code review as part of the regular software development life cycle (SDLC). The
code can be reviewed by a trained, independent internal team or by specialized external tools/organizations.

- Source code review removed from requirement 6.6. For ongoing protection of public-facing web
applications, either of the following can be used:

1. Regular use of automated or manual application vulnerability assessment tools or
methods (can be performed by a trained, independent internal team or by specialized
external tools/organizations).

2. A properly configured web application firewall with capabilities in line with the special 6.6
information supplement released by the council.


Requirement 7: Restrict Access to Cardholder Data by Business Need-to-Know 


- No major changes.


Requirement 8: Assign a Unique ID to Each Person with Computer Access 


- Testing must verify that passwords are unreadable in both storage and transmission.


Requirement 9: Restrict Physical Access to Cardholder Data


- Visit in-scope offsite storage facilities at least once per year.

- Removable electronic media as well as paper media (fax, printouts, etc.) must be secured.

- Cameras need to be used only for storage facilities and datacenters, not POS locations.

- For the purposes of PCI, a contractor is treated the same as an employee and the same access
requirements apply.


Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data 


- Logs from external-facing devices must be copied to a secure internal location.
- A minimum of 3 months of logs must be immediately available (within a reasonable time) for analysis.


Requirement 11: Regularly Test Security Systems and Processes 


- Wireless IDS/IPS can be used as an alternative to a wireless analyzer as long as it is correctly set up to
alert someone when there is an incident.

- An Approved Scanning Vendor (ASV) must be used to perform quarterly external network vulnerability
scans.

- Penetration testing must occur on external as well as internal devices. An ASV is not required for
penetration tests.

Requirement 12: Maintain a Policy That Addresses Information Security


- Develop usage policies for employee-facing technologies, including everything from USB drives to
PDAs and iPhones.

- Employees interacting with cardholder data must read and acknowledge security policies at least
once a year.

- Clarified language around the relationship with service providers; maintain a written agreement with each
service provider detailing their responsibilities around cardholder data.

- Changes in this requirement also seem to suggest that a merchant's PCI compliance is not held up
if a service provider is not PCI compliant, as long as the service provider is in the process of becoming
PCI compliant and the merchant monitors the progress on an ongoing basis.